Thursday, November 28, 2013

Resource Management : Tcp Dump

Analyzing network details is very important for a system admin. As an application server admin, there are cases where I need to analyze network traffic in order to find the reasons for slow performance.

tcpdump on Linux machines is a very useful network packet analyzer. It ships with most Linux distributions.

The tcpdump command should be run as root, or the user needs sufficient privileges on the network device or socket. tcpdump can save packet information to a file and can also read such files back. Data saved with tcpdump can also be read by tools like Wireshark.

In this article we will see some basic uses of tcpdump and how to use the command. Since the output of the command can be large at times, in most cases I will just give the commands.

1. Basic usage
[root@vx111a ~]# tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
17:46:17.437843 IP 172.16.100.154.53950 > 224.0.0.252.hostmon: UDP, length 22
17:46:17.438254 IP 172.16.101.68.33970 > dns1.dwl.co.in.domain: 22161+ PTR? 252.0.0.224.in-addr.arpa. (42)
17:46:17.448783 IP 172.16.101.36.netbios-dgm > 172.16.101.255.netbios-dgm: NBT UDP PACKET(138)
17:46:17.457622 IP dns1.dwl.co.in.domain > 172.16.101.68.33970: 22161 NXDomain 0/1/0 (99)
17:46:17.457781 IP 172.16.101.68.37179 > dns1.dwl.co.in.domain: 34469+ PTR? 154.100.16.172.in-addr.arpa. (45)
17:46:17.538052 IP 172.16.100.154.53950 > 224.0.0.252.hostmon: UDP, length 22
17:46:17.624315 IP 172.16.101.16.51319 > 224.0.0.252.hostmon: UDP, length 22

7 packets captured
48 packets received by filter
11 packets dropped by kernel

Capturing continues until we kill the process (for example with Ctrl-C); the packet counts shown above are printed when it stops.
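To turn raw output like the capture above into something useful for the slow-performance question raised earlier, here is an added Python example (not from the original post) that parses tcpdump's default text lines and sums bytes per source host. The sample lines are the seven packets shown above; treating "length N" and a trailing "(N)" as the packet length, and the last dotted field of an endpoint as the port or service name, are assumptions based on the formats seen here.

```python
import re
from collections import Counter

# Default (name-resolving) tcpdump line: timestamp, "IP", src, ">", dst, ":", details.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<info>.*)$")
# Length appears as "length N" (plain UDP) or as a trailing "(N)" (DNS, NetBIOS).
LEN_RE = re.compile(r"length (\d+)|\((\d+)\)\s*$")

# Sample input constructed from the capture shown above, including the non-packet lines.
SAMPLE_LINES = [
    "tcpdump: verbose output suppressed, use -v or -vv for full protocol decode",
    "17:46:17.437843 IP 172.16.100.154.53950 > 224.0.0.252.hostmon: UDP, length 22",
    "17:46:17.438254 IP 172.16.101.68.33970 > dns1.dwl.co.in.domain: 22161+ PTR? 252.0.0.224.in-addr.arpa. (42)",
    "17:46:17.448783 IP 172.16.101.36.netbios-dgm > 172.16.101.255.netbios-dgm: NBT UDP PACKET(138)",
    "17:46:17.457622 IP dns1.dwl.co.in.domain > 172.16.101.68.33970: 22161 NXDomain 0/1/0 (99)",
    "17:46:17.457781 IP 172.16.101.68.37179 > dns1.dwl.co.in.domain: 34469+ PTR? 154.100.16.172.in-addr.arpa. (45)",
    "17:46:17.538052 IP 172.16.100.154.53950 > 224.0.0.252.hostmon: UDP, length 22",
    "17:46:17.624315 IP 172.16.101.16.51319 > 224.0.0.252.hostmon: UDP, length 22",
    "7 packets captured",
]


def split_endpoint(endpoint):
    """'172.16.101.68.33970' -> ('172.16.101.68', '33970'): host, then port/service."""
    host, _, port = endpoint.rpartition(".")
    return host, port


def parse_line(line):
    """Parse one tcpdump output line; return None for status lines (header, counters)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, sport = split_endpoint(m.group("src"))
    dst, dport = split_endpoint(m.group("dst"))
    lm = LEN_RE.search(m.group("info"))
    length = int(lm.group(1) or lm.group(2)) if lm else 0
    return {"ts": m.group("ts"), "src": src, "sport": sport, "dst": dst,
            "dport": dport, "length": length, "info": m.group("info")}


def bytes_by_source(lines):
    """Sum reported bytes per source host, skipping lines that are not packets."""
    totals = Counter()
    for pkt in filter(None, map(parse_line, lines)):
        totals[pkt["src"]] += pkt["length"]
    return totals


def top_talkers(lines, n=3):
    """Return the n busiest source hosts as (host, bytes) pairs, busiest first."""
    return bytes_by_source(lines).most_common(n)
```

Pipe a saved capture through it with tcpdump -r hello.pcap and the same parser applies, since -r prints the same line format.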

2. Find out the Interface
[root@vx111a ~]# tcpdump -D
1.eth0
2.eth1
3.usbmon1 (USB bus number 1)
4.usbmon2 (USB bus number 2)
5.any (Pseudo-device that captures on all interfaces)
6.lo

3. Capture packet Data for an Interface
[root@vx111a ~]# tcpdump -i eth0

4. Capture N packets on an Interface
[root@vx111a ~]# tcpdump -c 2 -i eth0

5. Capture Packets for host www.google.com
[root@vx111a ~]# tcpdump host www.google.com

6. Capture packets for a Specific Protocol
[root@vx111a ~]# tcpdump udp

7. Capture packets for a Specific Port
[root@vx111a ~]# tcpdump port http

8. Write packet Information to a File
[root@vx111a ~]# tcpdump -w hello.pcap -i eth0

9. Read packet Information From a File
[root@vx111a ~]# tcpdump -tttt -r hello.pcap

10. Capture packets larger than a specific number of Bytes
tcpdump -w hello.pcap greater 1024

11. Capture packets smaller than a specific number of Bytes
tcpdump -w hello.pcap less 1024

12. Capture packet flows on a particular port using the tcpdump port primitive
tcpdump -i eth0 port 22

13. Capture packets for particular destination IP and Port
tcpdump -w hello.pcap -i eth0 dst 192.171.10.4 and port 22

14. Capture TCP communication packets between two hosts
tcpdump -w hello.pcap -i eth0 tcp and host 192.171.10.4 and host <second-host-ip>
(replace <second-host-ip> with the address of the other host; the original command here was a copy of item 13 and did not restrict the capture to TCP between two hosts)

15. Packet capture with file rotation
tcpdump -w /var/log/capture -C 10
tcpdump first writes to /var/log/capture until that file reaches 10,000,000 bytes.
When a captured packet would push /var/log/capture past 10,000,000 bytes, tcpdump creates the next file, /var/log/capture1, and continues writing there.

More to come, happy learning!